Router security

- Configure a local login account with an encrypted password:
  Router(config)# username root secret My$Password
- Configure a local login account with a clear-text password:
  Router(config)# username root password My$Password

Once a username is configured, the login connections must be told to authenticate against it:
  Router(config)# line con 0
  Router(config-line)# login local
  Router(config)# line aux 0
  Router(config-line)# login local
  Router(config)# line vty 0 4
  Router(config-line)# login local

Configure a domain name on the router:
  Router-Branch-23(config)# ip domain name <domain-name>

Disable the web service. A Cisco router also enables the HTTP server by default; it is a security risk and is best turned off:
  Router(config)# no ip http server

Set a password for entering privileged mode with the enable secret command. This command stores the password as an MD5 hash, so it is not shown in clear text in the configuration:
  Router(config)# enable secret My$Password

Encrypt router passwords. By default a Cisco router does not encrypt the passwords in its configuration. The following command encrypts all clear-text passwords:
  Router(config)# service password-encryption

When managing a router through the console port, the AUX port or Telnet, two passwords are usually encountered:
  1) the password to enter the router;
  2) the password to go from user mode to privileged mode.
Multi-level privileges make multi-level router management possible. By default Cisco IOS has only one privileged-mode password, but it can be configured with up to 16 privilege levels and their passwords, so that a user who logs in with the password of a given level is allowed to use only certain commands.

How to set up multi-level management
Assign a command to a level, in global configuration mode:
  privilege <mode> level <level> <command-keyword>
Note: Cisco IOS allows privilege levels 0-15. The higher the number, the higher the privilege, and a higher level inherits all commands of the lower levels. User mode is level 1, privileged mode is level 15, and levels 2-14 are customizable.
Set the password for a level:
  enable secret level <level> <password>

Multi-level management configuration example:
  enable secret level 2 5 $1$XvWZ$1rd0j5SjVd3172mBzd16e1
  privilege configure level 2 line
  privilege configure level 2 ip route
  privilege configure level 2 interface
  privilege configure level 2 ip routing
  privilege configure level 15 ip
  privilege exec level 2 start-chat
  privilege exec level 2 copy running-config startup-config
  privilege exec level 2 copy running-config
  privilege exec level 2 copy
  privilege exec level 2 configure terminal
  privilege exec level 2 configure

1 ACL principles

Why use ACLs?
- Filtering: manage IP traffic by filtering packets passing through a router.
- Classification: identify traffic for special handling.

ACL application: filtering
- Permit or deny packets moving through the router.
- Permit or deny vty access to or from the router.
- Without ACLs, all packets could be transmitted to all parts of your network.

ACL application: classification
- Special handling for traffic based on packet tests.

Outbound ACL operation
- If no ACL statement matches, discard the packet.

Matching a list: each statement either denies or permits.

ACL types
Standard ACL
- Checks the source address
- Generally permits or denies the entire protocol suite
Extended ACL
- Checks source and destination address
- Generally permits or denies specific protocols and applications
Two methods are used to identify standard and extended ACLs:
- Numbered ACLs use a number for identification
- Named ACLs use a descriptive name or number for identification

How to identify ACLs
- Numbered standard IPv4 lists (1-99) test conditions of all IP packets for source addresses. Expanded range: 1300-1999.
- Numbered extended IPv4 lists (100-199) test conditions of source and destination addresses, specific TCP/IP protocols, and destination ports. Expanded range: 2000-2699.
- Named ACLs identify IP standard and extended ACLs with an alphanumeric string (name).

IP access list entry sequence numbers
- Requires Cisco IOS Release 12.3.
- Allows you to edit the order of ACL statements using sequence numbers.
  - In software earlier than Cisco IOS Release 12.3, a text editor is used to create ACL statements, then the statements are copied into the router in the correct order.
- Allows you to remove a single ACL statement from the list using a sequence number.
  - With named ACLs in software earlier than Cisco IOS Release 12.3, you must use no {deny | permit} protocol source source-wildcard destination destination-wildcard to remove an individual statement.
  - With numbered ACLs in software earlier than Cisco IOS Release 12.3, you must remove the entire ACL to remove a single ACL statement.

ACL configuration guidelines
- Standard or extended indicates what can be filtered.
- Only one ACL per interface, per protocol, and per direction is allowed.
- The order of ACL statements controls testing; therefore, the most specific statements go at the top of the list.
- The last ACL test is always an implicit "deny everything else" statement, so every list needs at least one permit statement.
- ACLs are created globally and then applied to interfaces for inbound or outbound traffic.
- An ACL can filter traffic going through the router, or traffic to and from the router, depending on how it is applied.
- When placing ACLs in the network:
  - Place extended ACLs close to the source.
  - Place standard ACLs close to the destination.

Dynamic ACLs
Dynamic ACLs (lock-and-key): users that want to traverse the router are blocked until they use Telnet to connect to the router and are authenticated.
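To make the first-match and implicit-deny rules above concrete, here is an added evaluator (not code from the slides) that applies standard and extended entries to a packet in order; it generalizes the slide's single examples to host/any abbreviations, the standard-ACL default wildcard and a port test, and every address in it is constructed.

```python
import ipaddress

# Constructed addresses for illustration; the slides' own addresses are not used.

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    keep = ~w & 0xFFFFFFFF
    return (a & keep) == (b & keep)

def parse_addr(tokens: list) -> tuple:
    """Consume 'any', 'host A' or 'A W' from tokens; return (base, wildcard).
    A bare address with no wildcard gets the standard-ACL default of all zeros."""
    t = tokens.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    if t == "host":
        return tokens.pop(0), "0.0.0.0"
    return t, (tokens.pop(0) if tokens and tokens[0] != "eq" else "0.0.0.0")

def parse_ace(line: str) -> dict:
    """Parse one standard or extended access-list entry into its match fields."""
    tok = line.split()
    action = tok.pop(0)
    if tok[0] in ("ip", "tcp", "udp", "icmp"):           # extended: proto src dst [eq port]
        proto, src, dst = tok.pop(0), parse_addr(tok), parse_addr(tok)
        port = int(tok[1]) if tok[:1] == ["eq"] else None
    else:                                                 # standard: source address only
        proto, src, dst, port = "ip", parse_addr(tok), ("0.0.0.0", "255.255.255.255"), None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "port": port}

def evaluate(acl: list, src: str, dst: str = "0.0.0.0", proto: str = "ip", dport=None) -> str:
    """Test the packet against each entry in order; the first match decides.
    Falling off the end is the implicit 'deny everything else'."""
    for ace in map(parse_ace, acl):
        if ace["proto"] != "ip" and ace["proto"] != proto:
            continue
        if not (wildcard_match(src, *ace["src"]) and wildcard_match(dst, *ace["dst"])):
            continue
        if ace["port"] is not None and ace["port"] != dport:
            continue
        return ace["action"]
    return "deny"

if __name__ == "__main__":
    # Same two entries in opposite order: the specific host is only denied when it comes first.
    specific_first = ["deny host 10.1.1.13", "permit 10.1.1.0 0.0.0.255"]
    general_first = list(reversed(specific_first))
    print(evaluate(specific_first, "10.1.1.13"), evaluate(general_first, "10.1.1.13"))
```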
Reflexive ACLs
Reflexive ACLs: used to allow outbound traffic and limit inbound traffic in response to sessions that originate inside the router.

Time-based ACLs
Time-based ACLs: allow for access control based on the time of day and week.

Wildcard masks: how the matching bits are checked
- 0 means to match the value of the corresponding address bit.
- 1 means to ignore the value of the corresponding address bit.

Wildcard bit matching for IP subnets
Match for IP subnets <first-subnet>/24 to <last-subnet>/24. Address and wildcard mask: <address> <wildcard-mask>.

Wildcard bit mask special cases
- A wildcard mask of all zeros matches all of the address bits. Abbreviate this wildcard mask by writing the IP address preceded by the keyword host (host <address>).
- A wildcard mask of all ones ignores all address bits. Abbreviate the expression with the keyword any.

2 ACL configuration and troubleshooting

Standard IPv4 ACL packet matching (figure)

Numbered standard IPv4 ACL configuration
  RouterX(config)# access-list access-list-number {permit | deny | remark} source [mask]
- Uses 1 to 99 for the access-list-number.
- The first entry is assigned a sequence number of 10, and successive entries are incremented by 10.
- The default wildcard mask is all zeros (standard ACLs only).
- no access-list access-list-number removes the entire ACL.
- remark lets you add a description to the ACL.
  RouterX(config-if)# ip access-group access-list-number {in | out}
- Activates the list on an interface.
- Sets inbound or outbound testing.
- no ip access-group access-list-number {in | out} removes the ACL from the interface.

Standard IPv4 ACL example 1 (deny a specific host)
  RouterX(config)# access-list 1 deny <host-address>
  RouterX(config)# access-list 1 permit <network> <wildcard-mask>
  (implicit deny all, equivalent to a final access-list 1 deny any)
  RouterX(config)# interface ethernet 0
  RouterX(config-if)# ip access-group 1 out

Standard IPv4 ACL example 2 (deny a specific subnet)
  RouterX(config)# access-list 1 deny <network> <wildcard-mask>
  RouterX(config)# access-list 1 permit any
  (implicit deny all, equivalent to a final access-list 1 deny any)
  RouterX(config)# interface ethernet 0
  RouterX(config-if)# ip access-group 1 out

Standard ACLs to control vty access
  RouterX(config-line)# access-class access-list-number {in | out}
Restricts incoming or outgoing connections between a particular vty and the addresses in an ACL.
Example:
  access-list 12 permit <network> <wildcard-mask>
  (implicit deny any)
  !
  line vty 0 4
   access-class 12 in
Permits only hosts in network <network> to connect to the router vty lines.

Extended IPv4 ACLs

Numbered extended IPv4 ACL configuration
  RouterX(config)# access-list access-list-number {permit | deny} protocol source source-wildcard [operator port] destination destination-wildcard [operator port] [established] [log]
Sets the parameters for this list entry.
  RouterX(config-if)# ip access-group access-list-number {in | out}
Activates the extended list on an interface.

Numbered extended IPv4 ACL example 1
  RouterX(config)# access-list 101 deny tcp <network> <wildcard-mask> any eq 23
  RouterX(config)# access-list 101 permit ip any any
  (implicit deny all)
  RouterX(config)# interface ethernet 0
  RouterX(config-if)# ip access-group 101 out
Denies only Telnet traffic from subnet <network> out E0 and permits all other traffic.

Named IP ACL configuration
  RouterX(config)# ip access-list {standard | extended} name
The alphanumeric name string must be unique.
  RouterX(config-{std | ext}-nacl)# [sequence-number] {permit | deny} <ip access list test conditions>
If not configured, sequence numbers are generated automatically, starting at 10 and incrementing by 10. no sequence-number removes the specific test from the named ACL.
  RouterX(config-if)# ip access-group name {in | out}
Activates the named IP ACL on an interface.

Named standard IPv4 ACL example (deny a specific host)
  RouterX(config)# ip access-list standard troublemaker
  RouterX(config-std-nacl)# deny host <host-address>
  RouterX(config-std-nacl)# permit <network> 0.0.0.255
  RouterX(config-std-nacl)# interface e0
  RouterX(config-if)# ip access-group troublemaker out

Named extended IPv4 ACL example (deny Telnet from a specific subnet)
  RouterX(config)# ip access-list extended badgroup
  RouterX(config-ext-nacl)# deny tcp <network> <wildcard-mask> any eq 23
  RouterX(config-ext-nacl)# permit ip any any
  RouterX(config-ext-nacl)# interface e0
  RouterX(config-if)# ip access-group badgroup out

Commenting ACLs
  RouterX(config)# ip access-list {standard | extended} name
Creates a named ACL.
  RouterX(config-{std | ext}-nacl)# remark remark
Creates a named ACL comment.
Or:
  RouterX(config)# access-list access-list-number remark remark
Creates a numbered ACL comment.

Monitoring ACL statements
  RouterX# show access-lists [access-list-number | name]
  RouterX# show access-lists
  Standard IP access list SALES
      10 deny <address>, wildcard bits <wildcard-mask>
      20 permit <address>
      30 permit <address>
      40 permit <address>
  Extended IP access list ENG
      10 permit tcp host <address> any eq telnet (25 matches)
      20 permit tcp host <address> any eq ftp
      30 permit tcp host <address> any eq ftp-data
Displays all access lists.

Verifying ACLs
  RouterX# show ip interfaces e0
  Ethernet0 is up, line protocol is up
    Internet address is <address>/24
    Broadcast address is <address>
    Address determined by setup command
    MTU is 1500 bytes
    Helper address is not set
    Directed broadcast forwarding is disabled
    Outgoing access list is not set
    Inbound access list is 1
    Proxy ARP is enabled
    Security level is default
    Split horizon is enabled
    ICMP redirects are always sent
    ICMP unreachables are always sent
    ICMP mask replies are never sent
    IP fast switching is enabled
    IP fast switching on the same interface is disabled
    IP Feature Fast switching turbo vector
    IP multicast fast switching is enabled
    IP multicast distributed fast switching is disabled

Troubleshooting ACLs
- Error 1: Host <A> has no connectivity with <B>.
- Error 2: Network <N> cannot use TFTP to connect to <host>.

3 NAT and PAT

Network address translation
An IP address is either local or global. Local IPv4 addresses are seen in the inside network. Global IPv4 addresses are seen in the outside network.

Translating inside source addresses (figure)

Configuring and verifying static translation
  RouterX(config)# ip nat inside source static local-ip global-ip
Establishes a static translation between an inside local address and an inside global address.
  RouterX(config-if)# ip nat inside
Marks the interface as connected to the inside.
  RouterX(config-if)# ip nat outside
Marks the interface as connected to the outside.
  RouterX# show ip nat translations
Displays the active translations.

Static NAT configuration example
  interface s0
   ip address <address> <mask>
   ip nat outside
  !
  interface e0
   ip address <address> <mask>
   ip nat inside
  !
  ip nat inside source static <local-ip> <global-ip>

  RouterX# show ip nat translations
  Pro  Inside global   Inside local   Outside local   Outside global
  ---  <global-ip>     <local-ip>     ---             ---

Configuring and verifying dynamic address translation
  RouterX(config)# ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}
Defines a pool of global addresses to be allocated as needed.
  RouterX(config)# access-list access-list-number permit source source-wildcard
Defines a standard IP ACL permitting those inside local addresses that are to be translated.
  RouterX(config)# ip nat inside source list access-list-number pool name
Establishes dynamic source translation, specifying the ACL that was defined in the previous step.
  RouterX# show ip nat translations
Displays the active translations.

Dynamic address translation example
  RouterX# show ip nat translations
  Pro  Inside global   Inside local   Outside local   Outside global
  ---  <global-ip>     <local-ip>     ---             ---
  ---  <global-ip>     <local-ip>     ---             ---

Port address translation (figure)

Overloading an inside global address (figure)

Configuring overloading
  RouterX(config)# access-list access-list-number permit source source-wildcard
Defines a standard IP ACL that permits the inside local addresses that are to be translated.
  RouterX(config)# ip nat inside source list access-list-number interface interface overload
Establishes dynamic source translation, specifying the ACL that was defined in the previous step.
  RouterX# show ip nat translations
Displays the active translations.

Overload example
  hostname RouterX
  !
  interface Ethernet0
   ip address <address> <mask>
   ip nat inside
  !
  interface Ethernet1
   ip address <address> <mask>
   ip nat inside
  !
  interface Serial0
   description To ISP
   ip address <address> <mask>
   ip nat outside
  !
  ip nat inside source list 1 interface Serial0 overload
  !
  ip route <prefix> <mask> Serial0
  !
  access-list 1 permit <network> <wildcard-mask>
  access-list 1 permit <network> <wildcard-mask>
  !

  RouterX# show ip nat translations
  Pro  Inside global       Inside local          Outside local      Outside global
  TCP  <global-ip>:1050    <local-ip>:1050       <outside-ip>:23    <outside-ip>:23
  TCP  <global-ip>:1776    192.168.4.12:1776     <outside-ip>:25    <outside-ip>:25

Clearing the NAT translation table
  RouterX# clear ip nat translation *
Clears all dynamic address translation entries.
  RouterX# clear ip nat translation inside global-ip local-ip [outside local-ip global-ip]
Clears a simple dynamic translation entry that contains an inside translation, or both an inside and an outside translation.
  RouterX# clear ip nat translation outside local-ip global-ip
Clears a simple dynamic translation entry that contains an outside translation.
  RouterX# clear ip nat translation protocol inside global-ip global-port local-ip local-port [outside local-ip local-port global-ip global-port]
Clears an extended dynamic translation entry (a PAT entry).

Viewing information with the show and debug commands
  RouterX# debug ip nat
  NAT: s=<inside-local>-><inside-global>, d=<outside-address> [6825]
  NAT: s=<outside-address>, d=<inside-global>-><inside-local> [21852]
  RouterX# show ip nat statistics
  Total active translations: 1 (1 static, 0 dynamic; 0 extended)
  Outside interfaces: Ethernet0, Serial2
  Inside interfaces: Ethernet1
  Hits: 5  Misses: 0

Troubleshooting example: cannot ping a remote host
  RouterA# show ip nat translations
  Pro  Inside global   Inside local   Outside local   Outside global
There are no translations in the table.
  RouterA# show access-list
  Standard IP access list 20
      10 permit <network>, wildcard bits <wildcard-mask>
Pings are still failing.
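The overload behaviour and the "no translations in the table" failure above, as an added model (not code from the slides) of a router doing ip nat inside source list ... interface ... overload: it keeps the original source port when it is free, allocates a new global port on collision, answers return traffic by global port, and leaves a host untouched when the standard ACL does not permit it. The topology and addresses are constructed.

```python
import ipaddress

# Constructed topology: inside hosts permitted by a standard ACL are overloaded onto the
# single inside global address of the outside interface.

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    keep = ~w & 0xFFFFFFFF
    return (a & keep) == (b & keep)

class PatTranslator:
    def __init__(self, acl, global_ip):
        self.acl = acl              # [(source, source-wildcard)] permit entries of the standard ACL
        self.global_ip = global_ip  # address of the outside interface (the inside global address)
        self.table = {}             # (proto, inside local, local port) -> (inside global, global port)
        self.hits = self.misses = 0

    def permitted(self, src: str) -> bool:
        """Only inside local addresses that the ACL permits are translated."""
        return any(wildcard_match(src, b, w) for b, w in self.acl)

    def _global_port(self, proto: str, wanted: int) -> int:
        """Keep the original source port unless another flow already uses it."""
        used = {gp for (p, _, _), (_, gp) in self.table.items() if p == proto}
        return wanted if wanted not in used else next(p for p in range(1024, 65536) if p not in used)

    def outbound(self, proto: str, src: str, sport: int):
        """Inside to outside: reuse or create the entry; None means the packet is not translated."""
        key = (proto, src, sport)
        if key in self.table:
            self.hits += 1
            return self.table[key]
        self.misses += 1                      # the first packet of a flow is a miss, then an entry is built
        if not self.permitted(src):
            return None                       # the troubleshooting case: the ACL does not cover this host
        entry = (self.global_ip, self._global_port(proto, sport))
        self.table[key] = entry
        return entry

    def inbound(self, proto: str, gport: int):
        """Outside to inside: the global port alone identifies the inside socket."""
        for (p, local_ip, lport), (_, gp) in self.table.items():
            if p == proto and gp == gport:
                return local_ip, lport
        return None                           # no entry, so the reply is dropped

    def show_translations(self) -> list:
        """Rows in the shape of 'show ip nat translations': Pro, Inside global, Inside local."""
        return [f"{p} {g}:{gp} {l}:{lp}" for (p, l, lp), (g, gp) in self.table.items()]
```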